This post is a couple of months overdue, but I didn't have a blog then, so it was a little difficult to make a post. Anyway, this is more or less a follow-on to the contagio post (http://contagiodump.blogspot.com/2012/04/cve2012-0158-south-china-sea-insider.html), in which Mila posted several samples involving the exploit. I haven't looked at them all yet, but I did check out "inside information.doc", mainly because it was the English version, and pasted below is what I found. I should note that some of this is a repeat from previous posts I've seen, but I don't recall seeing anything on "common.cfg", which I found to be most interesting. So without any further ado... I bring you "inside information.doc" (okay, I'll stop with the theatrics).
"inside information.doc" is a malicious RTF file that contains an embedded binary named "a.exe" located at offset 6878. The binary is obfuscated with a single-byte XOR key (0xAC); see below for a comparative look at the encoded and decoded bytes.
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00006870  AC AC AC AC AC AC AC AC E1 F6 3C AC AF AC AC AC  ¬¬¬¬¬¬¬¬áö<¬¯¬¬¬
00006880  A8 AC AC AC 53 53 AC AC 14 AC AC AC AC AC AC AC  ¨¬¬¬SS¬¬.¬¬¬¬¬¬¬
00006890  EC AC AC AC AC AC AC AC AC AC AC AC AC AC AC AC  쬬¬¬¬¬¬¬¬¬¬¬¬¬¬
000068A0  AC AC AC AC AC AC AC AC AC AC AC AC AC AC AC AC  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
000068B0  AC AC AC AC 7C AC AC AC A2 B3 16 A2 AC 18 A5 61  ¬¬¬¬|¬¬¬¢³.¢¬.¥a
000068C0  8D 14 AD E0 61 8D F8 C4 C5 DF 8C DC DE C3 CB DE  .àaøÄÅߌÜÞÃËÞ
000068D0  CD C1 8C CF CD C2 C2 C3 D8 8C CE C9 8C DE D9 C2  ÍÁŒÏÍÂÂÃØŒÎÉŒÞÙÂ
000068E0  8C C5 C2 8C E8 E3 FF 8C C1 C3 C8 C9 82 A1 A1 A6  ŒÅÂŒèãÿŒÁÃÈÉ‚¡¡¦
000068F0  88 AC AC AC AC AC AC AC 01 67 16 BB 45 06 78 E8  ˆ¬¬¬¬¬¬¬.g.»E.xè
00006900  45 06 78 E8 45 06 78 E8 C6 1A 76 E8 49 06 78 E8  E.xèE.xèÆ.vèI.xè
00006910  73 20 72 E8 5F 06 78 E8 27 19 6B E8 40 06 78 E8  s rè_.xè'.kè@.xè
00006920  45 06 79 E8 73 06 78 E8 73 20 73 E8 46 06 78 E8  E.yès.xès sèF.xè
00006930  FE C5 CF C4 45 06 78 E8 AC AC AC AC AC AC AC AC  þÅÏÄE.x謬¬¬¬¬¬¬
00006940  AC AC AC AC AC AC AC AC FC E9 AC AC E0 AD AF AC  ¬¬¬¬¬¬¬¬ü鬬௬
00006950  46 64 5F E0 AC AC AC AC AC AC AC AC 4C AC A3 AD  Fd_ବ¬¬¬¬¬¬L¬£
a.exe xor-encoded within the malicious RTF file
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00006870  00 00 00 00 00 00 00 00 4D 5A 90 00 03 00 00 00  ........MZ.....
00006880  04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00  ....ÿÿ..¸.......
00006890  40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  @...............
000068A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000068B0  00 00 00 00 D0 00 00 00 0E 1F BA 0E 00 B4 09 CD  ....Ð.....º..´.Í
000068C0  21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72  !¸.LÍ!This progr
000068D0  61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E  am cannot be run
000068E0  20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A   in DOS mode....
000068F0  24 00 00 00 00 00 00 00 AD CB BA 17 E9 AA D4 44  $.......˺.éªÔD
00006900  E9 AA D4 44 E9 AA D4 44 6A B6 DA 44 E5 AA D4 44  éªÔDéªÔDj¶ÚDåªÔD
00006910  DF 8C DE 44 F3 AA D4 44 8B B5 C7 44 EC AA D4 44  ߌÞDóªÔD‹µÇDìªÔD
00006920  E9 AA D5 44 DF AA D4 44 DF 8C DF 44 EA AA D4 44  éªÕDߪÔDߌßDêªÔD
00006930  52 69 63 68 E9 AA D4 44 00 00 00 00 00 00 00 00  RichéªÔD........
00006940  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00  ........PE..L...
00006950  EA C8 F3 4C 00 00 00 00 00 00 00 00 E0 00 0F 01  êÈóL........à...
a.exe decoded
On a vulnerable system, opening the malicious RTF file causes “a.exe” to be extracted and executed. Since my analysis was done on a non-vulnerable system, I had to extract the malware manually for analysis.
In brief, “a.exe” is a dropper that delivers a malicious binary (zl5.exe) to the victim host along with a benign document (in this case Ó¢ÎÄ.doc). After that, “zl5.exe” takes the reins. Below is a condensed chronological gist of behavioral activity on the victim host. This gist includes “zl5.exe” and “fxsst.dll”, but those will be discussed in greater detail later.
a.exe
  Write
    -> C:\Documents and Settings\root\Local Settings\Temp\zl5.exe
    -> C:\Documents and Settings\root\Local Settings\Temp\Ó¢ÎÄ.doc
zl5.exe
  registry: SetValueKey
    -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
  Write
    -> C:\Documents and Settings\All Users\Application Data\Windows NT\NtHelpConfig.log
    -> C:\WINDOWS\fxsst.dll
    -> C:\Documents and Settings\All Users\Application Data\Windows NT\common.cfg
a.exe
  process: created
    -> C:\Documents and Settings\root\Local Settings\Temp\zl5.exe
WINWORD.EXE
  Write
    -> C:\Documents and Settings\root\Local Settings\Temp\~$Ó¢ÎÄ.doc
a.exe
  process: terminated
    -> C:\Documents and Settings\root\Local Settings\Temp\zl5.exe
Network Activity
The victim host attempts to connect to the following domains:
1.test.3322.org.cn
2.test.3322.org.cn
3.test.3322.org.cn
4.test.3322.org.cn
123ewqasdcxz.xicp.net
hoop-america.oicp.net
Since this analysis was conducted within an enclosed environment, no follow-on network activity was obtained.
More importantly, “zl5.exe” and “fxsst.dll” are both digitally signed (see below), which, from the attacker's vantage point, is extremely useful on Microsoft's 64-bit operating systems, since it should bypass the User Account Control (UAC) warning prompts for non-digitally signed files.
Aside from being digitally signed, “zl5.exe” is a custom-packed executable that writes the following three objects to disk:
- C:\Documents and Settings\All Users\Application Data\Windows NT\NtHelpConfig.log
- C:\WINDOWS\fxsst.dll
- C:\Documents and Settings\All Users\Application Data\Windows NT\common.cfg
(note: on Vista, Server 2008 and Windows 7, \All Users\Application Data is C:\ProgramData)
The first, “NtHelpConfig.log”, is a static file whose contents consist of repeated runs of the printable ASCII characters.
The other two, “fxsst.dll” and “common.cfg”, are embedded within “zl5.exe”, but since “zl5.exe” is packed, they only appear in cleartext once the executable has been unpacked in memory. At that point they are located at virtual memory addresses 004C – 2BF3 and 2BF4 – BDF2 respectively (the low 16 bits of the 008Fxxxx addresses shown below).
008F004C  4D 5A 90 00 03 00 00 00  MZ....     #beginning of “fxsst.dll”
008F0054  04 00 00 00 FF FF 00 00  ...ÿÿ..
008F005C  B8 00 00 00 00 00 00 00  ¸.......
008F0064  40 00 00 00 00 00 00 00  @.......
008F006C  00 00 00 00 00 00 00 00  ........
008F0074  00 00 00 00 00 00 00 00  ........
008F007C  00 00 00 00 00 00 00 00  ........
008F0084  00 00 00 00 D8 00 00 00  ....Ø...
008F008C  0E 1F BA 0E 00 B4 09 CD  º.´.Í
008F0094  21 B8 01 4C CD 21 54 68  !¸LÍ!Th
008F009C  69 73 20 70 72 6F 67 72  is progr
008F00A4  61 6D 20 63 61 6E 6E 6F  am canno
008F00AC  74 20 62 65 20 72 75 6E  t be run
008F00B4  20 69 6E 20 44 4F 53 20   in DOS
008F00BC  6D 6F 64 65 2E 0D 0D 0A  mode....
008F00C4  24 00 00 00 00 00 00 00  $.......
008F00CC  6F 83 B3 71 2B E2 DD 22  oƒ³q+âÝ"
008F00D4  2B E2 DD 22 2B E2 DD 22  +âÝ"+âÝ"
/// section intentionally excluded ///
008F2BE4  94 10 DD 38 4D 70 20 A2  ”Ý8Mp ¢
008F2BEC  3D BF 74 98 23 84 F6 00  =¿t˜#„ö.   #end of “fxsst.dll”
008F2BF4  4D 5A 90 00 03 00 00 00  MZ....     #beginning of “common.cfg” (before encoding)
008F2BFC  04 00 00 00 FF FF 00 00  ...ÿÿ..
008F2C04  B8 00 00 00 00 00 00 00  ¸.......
008F2C0C  40 00 00 00 00 00 00 00  @.......
008F2C14  00 00 00 00 00 00 00 00  ........
008F2C1C  00 00 00 00 00 00 00 00  ........
008F2C24  00 00 00 00 00 00 00 00  ........
008F2C2C  00 00 00 00 F8 00 00 00  ....ø...
008F2C34  0E 1F BA 0E 00 B4 09 CD  º.´.Í
008F2C3C  21 B8 01 4C CD 21 54 68  !¸LÍ!Th
008F2C44  69 73 20 70 72 6F 67 72  is progr
008F2C4C  61 6D 20 63 61 6E 6E 6F  am canno
008F2C54  74 20 62 65 20 72 75 6E  t be run
008F2C5C  20 69 6E 20 44 4F 53 20   in DOS
008F2C64  6D 6F 64 65 2E 0D 0D 0A  mode....
/// section intentionally excluded ///
008FBDE3  00 00 00 00 00 00 00 00  ........
008FBDEB  00 00 00 00 00 00 00 00  ........   #end of “common.cfg”
When dropped on the victim host, “fxsst.dll” remains intact, as shown above, but "common.cfg" does not. Instead, it looks quite garbled after being written to the victim system, because it is encoded with a rolling XOR key that varies in both content and length.
Before applying the XOR encoding loop to the unencoded “common.cfg” (displayed above), “zl5.exe” calls “GetTickCount”, which retrieves the number of milliseconds that have elapsed since startup (up to 49.7 days). This data is then used to populate the registers EAX and EDX (i.e. 666496 / 6664). These register values ultimately lead to the values used for the encoding loop. It's important to note that since the data returned from GetTickCount changes with each millisecond, so does the eventual XOR key.
As for the actual encoding, the data stored in EAX and EDX (after the GetTickCount call) is run through a mathematical routine whose results are stored in the low byte registers BL and CL. The BL and CL values then replace the first two bytes (0x4D 0x5A, or "MZ") of the unencoded "common.cfg" file. Of note, the value of CL remains constant from this point forward. After this, the encoding loop starts.
First, the value stored in BL moves to AL, after which EAX is integer-multiplied by 0x71. Next, the 3rd byte of “common.cfg” is XOR'd with the value in BL, after which the value in CL (the constant) is added to AL. AL is then stored in BL and the loop repeats in order to write the 4th byte, then the 5th byte, and so on.
The listing below shows the actual encoding functions (setup and loop).
Call For GetTickCount:
00962E54  FF15 E8709600   CALL DWORD PTR DS:[9670E8]      ; kernel32.GetTickCount

Registers After GetTickCount:
EAX 00666496
ECX 00000001
EDX 00006664
EBX 00373910
ESP 0012FC6C
EBP 0012FC78
ESI 00862BF4
EDI 0012FC88
EIP 00392E5A

Setup Routine:
00962E5A  8B3D 78719600   MOV EDI,DWORD PTR DS:[967178]   ; MSVCRT.rand
00962E60  8945 08         MOV DWORD PTR SS:[EBP+8],EAX
00962E63  FFD7            CALL EDI
00962E65  0345 08         ADD EAX,DWORD PTR SS:[EBP+8]
00962E68  33D2            XOR EDX,EDX
00962E6A  B9 FF000000     MOV ECX,0FF
00962E6F  F7F1            DIV ECX
00962E71  8BDA            MOV EBX,EDX
00962E73  80CB 80         OR BL,80
00962E76  FFD7            CALL EDI
00962E78  8BC8            MOV ECX,EAX
00962E7A  6A 02           PUSH 2
00962E7C  024D 08         ADD CL,BYTE PTR SS:[EBP+8]
00962E7F  5F              POP EDI
00962E80  881E            MOV BYTE PTR DS:[ESI],BL        #Sets value in place of M (0x4D)
00962E82  80E1 7F         AND CL,7F
00962E85  80C1 1F         ADD CL,1F
00962E88  397D 0C         CMP DWORD PTR SS:[EBP+C],EDI
00962E8B  884E 01         MOV BYTE PTR DS:[ESI+1],CL      #Sets value in place of Z (0x5A)
00962E8E  /76 13          JBE SHORT 00962EA3

Registers Before Encoding Loop:
EAX 00004823
ECX 00004844   # CL becomes byte 01 of “common.cfg”, replacing 0x5A
EDX 000000A0
EBX 000000A0   # BL becomes byte 00 of “common.cfg”, replacing 0x4D, and sets the loop in motion
ESP 0012FC6C
EBP 0012FC78
ESI 00862BF4
EDI 00000002
EIP 00962E90

Encoding Loop:
00962E90  |8AC3           MOV AL,BL
00962E92  |B2 71          MOV DL,71
00962E94  |F6EA           IMUL DL
00962E96  |301C37         XOR BYTE PTR DS:[EDI+ESI],BL
00962E99  |02C1           ADD AL,CL
00962E9B  |47             INC EDI
00962E9C  |8AD8           MOV BL,AL
00962E9E  |3B7D 0C        CMP EDI,DWORD PTR SS:[EBP+C]
00962EA1  ^|72 ED         JB SHORT 00962E90
Getting back to “fxsst.dll”: it is a static, digitally signed DLL that contains SSL certificate data. More importantly, it decodes “common.cfg”, allowing the victim host to connect out to the call-back domains embedded within “common.cfg”.
To accomplish this, “fxsst.dll” first reads the first two bytes of the encoded “common.cfg” into a buffer. It then replaces the first two bytes of “common.cfg” with 0x4D 0x5A (or MZ). The decoding routine (shown below) is then applied, using the first byte in the buffer as the starting point for the loop and the second byte as the constant (as discussed earlier). The loop runs until “common.cfg” is decoded back into a functioning DLL, which is then executed in memory. The result is the victim host connecting to the embedded call-back domains.
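As an added example (my own code, not the post's or the malware's), here is a Python re-implementation of the setup routine and encoding loop listed above together with the decode step just described for “fxsst.dll”. It is reconstructed from the disassembly; all function and constant names are mine, the sample row is the first 16 bytes of the post's 8-byte-key “common.cfg” dump, and the rand() values used in demo() are constructed (the tick value is the one the post shows).

```python
# Added example (not the original post's code): Python re-implementation of the
# "common.cfg" XOR scheme, reconstructed from the setup routine and encoding loop
# listed above, plus the decode step described for "fxsst.dll". Names are mine;
# the sample row is from the post's 8-byte-key dump, tick/rand values are constructed.

MULT = 0x71   # MOV DL,71 / IMUL DL: only the low byte of the product is kept
MZ = b"MZ"    # 0x4D 0x5A, the two header bytes zl5.exe overwrites with BL and CL


def derive_key_bytes(tick: int, rand1: int, rand2: int) -> tuple:
    """Setup routine: GetTickCount() result and two MSVCRT rand() results -> (BL, CL).

    BL = ((rand1 + tick) mod 0xFF) | 0x80              (DIV ECX with ECX=0xFF; OR BL,80)
    CL = ((rand2 + low byte of tick) & 0x7F) + 0x1F    (ADD CL,[EBP+8]; AND CL,7F; ADD CL,1F)
    """
    bl = (((rand1 + tick) & 0xFFFFFFFF) % 0xFF) | 0x80
    cl = (((rand2 & 0xFF) + (tick & 0xFF)) & 0x7F) + 0x1F   # always within 0x1F..0x9E
    return bl, cl


def keystream(bl: int, cl: int, length: int) -> bytes:
    """Encoding loop: byte i (from offset 2) is XORed with BL, then
    BL = (BL * 0x71 + CL) mod 256, i.e. an 8-bit LCG with CL as its increment."""
    out = bytearray()
    for _ in range(length):
        out.append(bl)
        bl = (bl * MULT + cl) & 0xFF
    return bytes(out)


def key_period(bl: int, cl: int) -> int:
    """Length of the repeating XOR key. Multiplying by the odd constant 0x71 is a
    bijection mod 256, so the state always cycles back to BL: an odd CL gives the
    full 256-byte period, an even CL a divisor of it (the post saw 8, 32 and 256)."""
    state = (bl * MULT + cl) & 0xFF
    steps = 1
    while state != bl:
        state = (state * MULT + cl) & 0xFF
        steps += 1
    return steps


def encode(plain: bytes, bl: int, cl: int) -> bytes:
    """zl5.exe side: replace 'MZ' with BL and CL, XOR everything from offset 2 on."""
    body = plain[2:]
    return bytes([bl, cl]) + bytes(p ^ k for p, k in zip(body, keystream(bl, cl, len(body))))


def decode(encoded: bytes) -> bytes:
    """fxsst.dll side: read BL and CL from the first two bytes, put 'MZ' back and
    run the same loop (XOR is its own inverse)."""
    bl, cl = encoded[0], encoded[1]
    body = encoded[2:]
    return MZ + bytes(e ^ k for e, k in zip(body, keystream(bl, cl, len(body))))


# Offset 0x00 of the post's "common.cfg (8 byte key)" dump: BL = 0xD7, CL = 0x90.
SAMPLE_ENCODED = bytes.fromhex("D7 90 47 77 14 B7 57 F7 93 37 D7 77 E8 48 57 F7")


def demo() -> tuple:
    """Decode the sample row (it should become a DOS/PE header) and report the key length."""
    header = decode(SAMPLE_ENCODED)
    period = key_period(SAMPLE_ENCODED[0], SAMPLE_ENCODED[1])
    # The tick value is the one the post shows; the two rand() results are constructed.
    bl, cl = derive_key_bytes(0x00666496, 41, 18467)
    print(header.hex(" "), "| key repeats every", period, "bytes | derived BL/CL:", hex(bl), hex(cl))
    return header, period
```

Run against the post's other two samples, key_period(0xCB, 0x98) and key_period(0x9D, 0x21) return 32 and 256, matching the key lengths the post observed.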
Aside from decoding “common.cfg”, “fxsst.dll” contains SSL certificate data; the strings recoverable from it are shown below.
Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Premium Server CA, premium-server@thawte.com
100208000000Z / 200207235959Z
Thawte, Inc., Thawte Code Signing CA - G2
VeriSignMPKI-2-10
http://crl.thawte.com/ThawtePremiumServerCA.crl
Thawte, Inc., Thawte Code Signing CA - G2
120331000000Z / 130331235959Z
Fujian, Quanzhou, Quanzhou Xiegao Microwave Electronic Co., Ltd, Quanzhou Xiegao Microwave Electronic Co., Ltd
Now let's get back to "common.cfg". This file remains resident on the victim host, but (as stated earlier) it is XOR-encoded with a rolling key, and due to the encoding routine the key is variable in both length and content. For this reason, several “common.cfg” samples are presented below, with the XOR key given after each caption.
common.cfg (8 byte key: 9737D77717B757F7)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  D7 90 47 77 14 B7 57 F7 93 37 D7 77 E8 48 57 F7  × Gw ·W÷“7×wèHW÷
00000010  2F 37 D7 77 17 B7 57 F7 D7 37 D7 77 17 B7 57 F7  /7×w ·W÷×7×w ·W÷
00000020  97 37 D7 77 17 B7 57 F7 97 37 D7 77 17 B7 57 F7  —7×w ·W÷—7×w ·W÷
00000030  97 37 D7 77 17 B7 57 F7 97 37 D7 77 EF B7 57 F7  —7×w ·W÷—7×wï·W÷
00000040  99 28 6D 79 17 03 5E 3A B6 8F D6 3B DA 96 03 9F  ™(my ^:¶ Ö;Ú– Ÿ
00000050  FE 44 F7 07 65 D8 30 85 F6 5A F7 14 76 D9 39 98  þD÷ eØ0…öZ÷ vÙ9˜
00000060  E3 17 B5 12 37 C5 22 99 B7 5E B9 57 53 F8 04 D7  ã µ 7Å"™·^¹WSø ×
00000070  FA 58 B3 12 39 BA 5A FD B3 37 D7 77 17 B7 57 F7  úX³ 9ºZý³7×w ·W÷
00000080  7E F4 37 03 BA 15 D9 D0 3A 95 59 50 BA 15 D9 D0  ~ô7 º ÙÐ:•YPº ÙÐ
00000090  41 89 55 50 BB 15 D9 D0 B9 89 57 50 BE 15 D9 D0  A‰UP» Ùй‰WP¾ ÙÐ
000000A0  55 8A 53 50 BE 15 D9 D0 55 8A 52 50 B9 15 D9 D0  UŠSP¾ ÙÐUŠRP¹ ÙÐ
000000B0  55 8A 5D 50 BE 15 D9 D0 3A 95 58 50 29 15 D9 D0  UŠ]P¾ ÙÐ:•XP) ÙÐ
000000C0  58 8A 4A 50 B1 15 D9 D0 21 08 C7 50 BB 15 D9 D0  XŠJP± ÙÐ! ÇP» ÙÐ
000000D0  D2 8A 52 50 BC 15 D9 D0 D2 8A 5D 50 BB 15 D9 D0  ÒŠRP¼ ÙÐÒŠ]P» ÙÐ
000000E0  C5 5E B4 1F BA 15 D9 D0 97 37 D7 77 17 B7 57 F7  Å^´ º ÙЗ7×w ·W÷
000000F0  97 37 D7 77 17 B7 57 F7 C7 72 D7 77 5B B6 53 F7  —7×w ·W÷Çr×w[¶S÷
00000100  44 3E AF 38 17 B7 57 F7 97 37 D7 77 F7 B7 59 D6  D>¯8 ·W÷—7×w÷·YÖ
00000110  9C 36 D1 77 17 E9 57 F7 97 01 D7 77 17 B7 57 F7  œ6Ñw éW÷— ×w ·W÷
00000120  A0 5D D7 77 17 A7 57 F7 97 47 D7 77 17 B7 57 E7  ]×w §W÷—G×w ·Wç
00000130  97 27 D7 77 17 B5 57 F7 93 37 D7 77 17 B7 57 F7  —'×w µW÷“7×w ·W÷
00000140  92 37 D7 77 17 B7 57 F7 97 F7 D7 77 17 B3 57 F7  ’7×w ·W÷—÷×w ³W÷
00000150  97 37 D7 77 15 B7 57 F7 97 37 C7 77 17 A7 57 F7  —7×w ·W÷—7Çw §W÷
common.cfg (32 byte XOR key: 7BE3CB331B836BD3BB230B735BC3AB13FB634BB39B03EB533BA38BF3DB432B93)
common.cfg (256 byte XOR key)
(note: since this key is so large, it isn't visible in its entirety until the end of the binary, which contains a ton of nulls)
=================================================================
File: a.exe (embedded within inside information.doc [xor encrypted with 0xAC])
Size: 99839
MD5: 20c764dfa4363c6941d8f30cff20c86b
SHA1: 8abfbd6be596ef2212dec1af3fd2297c1b767b2f
ssdeep: 1536:O1bN3xPqxoOD8o90C87dBpwwDod7oisfBxaZsJ:O1/Sxo2uNBpw1dOfBxaZ4
Compile Time: 4CF3C8EA (Mon, 29 November 2010 15:38:18 UTC)
Compile Version: Microsoft Visual C++ 6.0 [Overlay]
File: fxsst.dll
Size: 11176
MD5: c9d22e2ea93248097f88346c6cd31a32
SHA1: 4c86ca6c46cc675585cf4b0c3486216dd83bdbbe
ssdeep: 192:oAsSLYyZ/66/jUz0Yu+u7xcTtkwMk8yi8qnNKWe0:HFYylJQoYPugWwMD8sKB0
Compile Time: 4F7809DE (Sun, 01 April 2012 07:55:10 UTC)
Compile Version: Microsoft Visual C++ 6.0 DLL [Overlay]
File: zl5.exe
Size: 46040
MD5: d7549732c7e9446bdeb7cf93a08b0eeb
SHA1: 550769657d599364a4c055bc24d43a09f572b063
ssdeep: 768:TD7MhWi0GMQWRniDQt9by6RxKw3792I3EG+a/Gcl8w9Ys4sxVWwk8szx:T2WRGMQOi/6aI9r40acRAwkz
Compile Time: 4F7809D2 (Sun, 01 April 2012 07:54:58 UTC)
Compile Version: Microsoft Visual C++ 6.0 DLL [Overlay]
File: Ó¢ÎÄ.doc
Size: 16384
MD5: 0d6d94001483c7bc7650ab2a3e98427a
SHA1: 3b7a79330b55a6b95860882fc5ef44a932c461df
ssdeep: 48:rLhvUVUVxB6GgacNlH01LkmSjDn4LmqbT0JS9:x8UVxQG1cNB01LlSXqbYJY
File: NtHelpConfig.log
Size: 1380
MD5: c24d8bdcabfa3a460fe09a201e83f620
SHA1: 4c2b95be83780ccea1c4bc9245768bb2844450f0
ssdeep: 24:bOzHem7muTL2fvmT+OmvmLeO22LSeKufL6uS+iv+7ym2/eL+u2/m7muTL2fvmT++:037fTL3TDfLTTLTDfLTTf7fTL377fTLt
File: common.cfg (XOR encrypted DLL)
Size: 37376
MD5: variable
File: common.cfg (XOR decrypted DLL)
Size: 37376
MD5: 8c7172d476890cbd1ef0b4d704f7f0d9
SHA1: 28dd1b0328a6388f9d74266fe00ba687a53401d9
ssdeep: 768:wcCMyXTTaIifnV/SS5F1Xbmn8ziqvKwnWHCx52Z:9SCIuwsF1q8rvKwnDxgZ
Compile Time: 4F7809D3 (Sun, 01 April 2012 07:54:59 UTC)
Compile Version: Microsoft Visual C++ 6.0 DLL
Comment: hi
Comment: what is the password of mila's original file?